Subprocessor List
Document owner: Chief Privacy Officer (CPO)
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Continuous updates with 30-day customer notification
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com
Definitions
| Term | Definition |
|---|---|
| Subprocessor | A third party engaged by Acme Cloud to Process Customer Personal Data on behalf of Customer |
| Infrastructure Subprocessor | A subprocessor providing cloud hosting, content delivery, or core infrastructure services |
| Functional Subprocessor | A subprocessor providing application functionality such as support, communication, or analytics |
| Security Subprocessor | A subprocessor providing security monitoring, threat detection, or incident response capabilities |
| Customer Personal Data | Personal Data processed by Acme Cloud on behalf of Customer pursuant to the Agreement |
| Processing | Any operation performed on Personal Data including collection, storage, use, transmission, and deletion |
| Data Residency | The geographic location where Customer Personal Data is stored at rest |
| Data Transit | Geographic locations through which Customer Personal Data may pass during transmission |
| SOC 2 | Service Organization Control 2 audit attestation |
| ISO 27001 | International standard for information security management systems |
| DPA | Data Processing Agreement governing subprocessor's data protection obligations |
| SCC | Standard Contractual Clauses for international data transfers |
| DPF | Data Privacy Framework (EU-US, UK Extension, Swiss-US) |
| BAA | Business Associate Agreement for HIPAA-covered data |
| PCI DSS | Payment Card Industry Data Security Standard |
| Transfer Mechanism | Legal basis for international data transfers (DPF, SCCs, adequacy) |
Scope and Applicability
1.1 Document Purpose
This document lists all third-party subprocessors engaged by Acme Cloud, Inc. to Process Customer Personal Data. It is provided to fulfill Acme Cloud's obligations under:
| Regulation | Requirement | DPA Reference |
|---|---|---|
| GDPR Article 28(2) | Prior authorization for subprocessor engagement | Section 5 |
| UK GDPR Article 28(2) | Same as GDPR | Section 5 |
| LGPD Article 39 | Subprocessor disclosure | Section 5 |
| CCPA/CPRA | Service provider disclosure | Section 11 |
| SCCs Clause 9 | Subprocessor notification | Section 10 |
1.2 Subprocessor Categories
Acme Cloud engages subprocessors in the following categories:
| Category | Description | Data Processed |
|---|---|---|
| Infrastructure | Cloud hosting, storage, CDN | All Customer Personal Data |
| Database | Managed database services | All Customer Personal Data |
| Security | Monitoring, threat detection, vulnerability management | Technical data, security logs |
| Communication | Email, messaging, notifications | Contact information, message content |
| Support | Help desk, customer success | Support interaction data |
| Analytics | Product analytics, error tracking | Usage data, technical data |
| Payment | Payment processing, billing | Billing contact, payment tokens |
| Authentication | Identity verification | Authentication credentials |
1.3 Data Processing Scope
| Processing Activity | Subprocessor Categories Involved | Customer Personal Data Types |
|---|---|---|
| Platform hosting | Infrastructure | All Customer Personal Data |
| Data storage | Infrastructure, Database | All Customer Personal Data |
| Content delivery | Infrastructure | Cached content, session data |
| Security monitoring | Security | Technical logs, access patterns |
| Email notifications | Communication | Email addresses, notification content |
| Customer support | Support | Support tickets, contact information |
| Product analytics | Analytics | Pseudonymized usage data |
| Error tracking | Analytics | Error context, user identifiers |
| Billing | Payment | Billing contact, subscription data |
| Single sign-on | Authentication | SSO tokens, user identifiers |
Infrastructure Subprocessors
2.1 Amazon Web Services (AWS)
| Attribute | Details |
|---|---|
| Legal Entity | Amazon Web Services, Inc. |
| Headquarters | Seattle, Washington, USA |
| Processing Locations | US (us-east-1, us-west-2), EU (eu-west-1, eu-central-1), UK (eu-west-2), APAC (ap-southeast-1, ap-northeast-1) |
| Customer Data Residency | Per customer selection (US, EU, UK, APAC) |
| Services Used | EC2, RDS, S3, Lambda, SQS, SNS, KMS, Secrets Manager, CloudFront, Route 53 |
| Processing Purpose | Infrastructure hosting, compute, storage, database, secrets management |
| Data Types Processed | All Customer Personal Data |
| Security Certifications | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, PCI DSS, FedRAMP, HIPAA |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | AWS Data Processing Addendum incorporated |
| BAA Available | Yes |
| Engagement Date | January 2022 |
| Review Date | January 2026 (annual) |
AWS Services Detail:
| Service | Purpose | Data Processed |
|---|---|---|
| Amazon EC2/ECS | Application compute | Transient processing |
| Amazon RDS | Primary database | All persistent data |
| Amazon S3 | Object storage, backups | Documents, attachments, backups |
| Amazon KMS | Encryption key management | Encryption keys (metadata only) |
| Amazon Secrets Manager | Secrets storage | Application secrets |
| Amazon CloudFront | Content delivery | Cached static content |
| Amazon SQS/SNS | Message queuing | Job payloads |
| Amazon Route 53 | DNS management | No Personal Data |
2.2 Cloudflare
| Attribute | Details |
|---|---|
| Legal Entity | Cloudflare, Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | Global edge network (250+ cities) |
| Customer Data Residency | Customer data not persistently stored (transit only) |
| Services Used | CDN, WAF, DDoS protection, DNS, SSL |
| Processing Purpose | Content delivery, security, performance optimization |
| Data Types Processed | Request metadata, cached content (transient) |
| Security Certifications | SOC 2 Type II, ISO 27001, PCI DSS |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Cloudflare DPA incorporated |
| BAA Available | Yes |
| Engagement Date | March 2022 |
| Review Date | March 2026 (annual) |
2.3 Neon
| Attribute | Details |
|---|---|
| Legal Entity | Neon, Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | AWS regions per customer selection |
| Customer Data Residency | Follows Acme Cloud AWS region selection |
| Services Used | Serverless PostgreSQL |
| Processing Purpose | Database services, data storage |
| Data Types Processed | All Customer Personal Data in database |
| Security Certifications | SOC 2 Type II |
| Transfer Mechanism | EU-US DPF, SCCs |
| DPA Status | Neon DPA incorporated |
| BAA Available | Upon request |
| Engagement Date | June 2024 |
| Review Date | June 2026 (annual) |
Security Subprocessors
3.1 Datadog
| Attribute | Details |
|---|---|
| Legal Entity | Datadog, Inc. |
| Headquarters | New York, New York, USA |
| Processing Locations | US (us-east-1), EU (eu-west-1) |
| Customer Data Residency | US for all customers (security data only) |
| Services Used | Infrastructure monitoring, APM, Log Management, SIEM |
| Processing Purpose | System monitoring, security event correlation, alerting |
| Data Types Processed | Technical logs, performance metrics, security events |
| Security Certifications | SOC 2 Type II, ISO 27001, HIPAA, PCI DSS |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Datadog DPA incorporated |
| BAA Available | Yes |
| Engagement Date | January 2023 |
| Review Date | January 2026 (annual) |
Data Minimization Controls:
| Control | Implementation |
|---|---|
| PII masking | Automated masking of email, names, identifiers in logs |
| Retention limits | 30-day hot, 90-day cold for security logs |
| Access controls | Role-based access limited to Security team |
| Encryption | TLS in transit, AES-256 at rest |
3.2 CrowdStrike
| Attribute | Details |
|---|---|
| Legal Entity | CrowdStrike, Inc. |
| Headquarters | Austin, Texas, USA |
| Processing Locations | US (primary), EU (available) |
| Customer Data Residency | US for corporate endpoints (no Customer Personal Data) |
| Services Used | Falcon Endpoint Protection, Threat Intelligence |
| Processing Purpose | Endpoint detection and response, malware protection |
| Data Types Processed | Endpoint telemetry from Acme Cloud corporate devices only |
| Security Certifications | SOC 2 Type II, ISO 27001, FedRAMP |
| Transfer Mechanism | EU-US DPF, SCCs |
| DPA Status | CrowdStrike DPA incorporated |
| BAA Available | Yes |
| Engagement Date | April 2023 |
| Review Date | April 2026 (annual) |
3.3 Snyk
| Attribute | Details |
|---|---|
| Legal Entity | Snyk Limited |
| Headquarters | Boston, Massachusetts, USA |
| Processing Locations | US, EU |
| Customer Data Residency | N/A (code analysis only) |
| Services Used | Dependency scanning, container scanning |
| Processing Purpose | Vulnerability detection in code dependencies |
| Data Types Processed | Source code metadata, dependency lists (no Customer Personal Data) |
| Security Certifications | SOC 2 Type II, ISO 27001 |
| Transfer Mechanism | EU-US DPF, SCCs |
| DPA Status | Snyk DPA incorporated |
| BAA Available | N/A |
| Engagement Date | February 2023 |
| Review Date | February 2026 (annual) |
Communication Subprocessors
4.1 Resend
| Attribute | Details |
|---|---|
| Legal Entity | Resend, Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US |
| Customer Data Residency | US (email delivery infrastructure) |
| Services Used | Transactional email delivery |
| Processing Purpose | Sending platform notifications, alerts, reports |
| Data Types Processed | Email addresses, notification content |
| Security Certifications | SOC 2 Type II |
| Transfer Mechanism | EU-US DPF, SCCs |
| DPA Status | Resend DPA incorporated |
| BAA Available | Upon request |
| Engagement Date | September 2024 |
| Review Date | September 2026 (annual) |
Email Processing Details:
| Email Type | Personal Data | Retention |
|---|---|---|
| Account verification | Email address | 30 days |
| Password reset | Email address | 24 hours |
| Platform notifications | Email address, notification content | 30 days |
| Scheduled reports | Email address, report data | 30 days |
4.2 Twilio
| Attribute | Details |
|---|---|
| Legal Entity | Twilio Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US (primary), EU (available) |
| Customer Data Residency | US for SMS processing |
| Services Used | SMS notifications (optional, Enterprise feature) |
| Processing Purpose | SMS alerts, MFA verification codes |
| Data Types Processed | Phone numbers, message content |
| Security Certifications | SOC 2 Type II, ISO 27001, HIPAA |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Twilio DPA incorporated |
| BAA Available | Yes |
| Engagement Date | July 2023 |
| Review Date | July 2026 (annual) |
4.3 Slack (Salesforce)
| Attribute | Details |
|---|---|
| Legal Entity | Salesforce, Inc. (Slack Technologies, LLC) |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US, EU |
| Customer Data Residency | Per workspace configuration |
| Services Used | Slack integration (optional customer feature) |
| Processing Purpose | Customer-configured Slack notifications |
| Data Types Processed | Notification content configured by Customer |
| Security Certifications | SOC 2 Type II, ISO 27001, HIPAA |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Salesforce DPA incorporated |
| BAA Available | Yes |
| Engagement Date | October 2023 |
| Review Date | October 2026 (annual) |
Support Subprocessors
5.1 Intercom
| Attribute | Details |
|---|---|
| Legal Entity | Intercom R&D Unlimited Company |
| Headquarters | Dublin, Ireland |
| Processing Locations | US, EU |
| Customer Data Residency | US (with EU data hosting available) |
| Services Used | In-app messaging, help center, customer support |
| Processing Purpose | Customer communication, support ticket management |
| Data Types Processed | User identifiers, email, support conversations |
| Security Certifications | SOC 2 Type II, ISO 27001, HIPAA |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Intercom DPA incorporated |
| BAA Available | Yes |
| Engagement Date | January 2023 |
| Review Date | January 2026 (annual) |
Support Data Processing:
| Data Type | Purpose | Retention |
|---|---|---|
| User email | Support identification | Active + 3 years |
| Conversation history | Support context | 3 years |
| User metadata | Personalization | Active + 3 years |
| Attached files | Issue resolution | 1 year |
Analytics Subprocessors
6.1 PostHog
| Attribute | Details |
|---|---|
| Legal Entity | PostHog, Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US (us-east-1), EU (eu-central-1) |
| Customer Data Residency | EU for Acme Cloud (product analytics) |
| Services Used | Product analytics, session replay, feature flags |
| Processing Purpose | Understanding product usage, improving user experience |
| Data Types Processed | Pseudonymized user identifiers, usage events, session data |
| Security Certifications | SOC 2 Type II |
| Transfer Mechanism | EU data residency selected (no transfer) |
| DPA Status | PostHog DPA incorporated |
| BAA Available | Upon request |
| Engagement Date | March 2024 |
| Review Date | March 2026 (annual) |
Data Minimization Controls:
| Control | Implementation |
|---|---|
| Pseudonymization | User IDs hashed before transmission |
| PII exclusion | Email, names excluded from analytics |
| Sampling | Session replay sampling (10% of sessions) |
| Retention | 2-year analytics data retention |
6.2 Sentry
| Attribute | Details |
|---|---|
| Legal Entity | Functional Software, Inc. (dba Sentry) |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US |
| Customer Data Residency | US (error data only) |
| Services Used | Error tracking, performance monitoring |
| Processing Purpose | Application error detection, debugging |
| Data Types Processed | Error context, stack traces, user identifiers (optional) |
| Security Certifications | SOC 2 Type II, ISO 27001 |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Sentry DPA incorporated |
| BAA Available | Yes |
| Engagement Date | February 2023 |
| Review Date | February 2026 (annual) |
Payment Subprocessors
7.1 Stripe
| Attribute | Details |
|---|---|
| Legal Entity | Stripe, Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US, EU, UK |
| Customer Data Residency | Per card network requirements |
| Services Used | Payment processing, subscription billing, invoicing |
| Processing Purpose | Processing subscription payments, managing billing |
| Data Types Processed | Billing contact, payment method tokens, transaction data |
| Security Certifications | PCI DSS Level 1, SOC 2 Type II, ISO 27001 |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Stripe DPA incorporated |
| BAA Available | N/A (payment processor) |
| Engagement Date | January 2022 |
| Review Date | January 2026 (annual) |
Payment Data Handling:
| Data Type | Processing | Storage |
|---|---|---|
| Cardholder name | Tokenized by Stripe | Stripe only |
| Card number | Never touches Acme Cloud systems | Stripe only (PCI DSS) |
| Billing address | Stored for invoicing | Acme Cloud database |
| Payment history | Transaction records | Acme Cloud + Stripe |
Authentication Subprocessors
8.1 Okta
| Attribute | Details |
|---|---|
| Legal Entity | Okta, Inc. |
| Headquarters | San Francisco, California, USA |
| Processing Locations | US, EU |
| Customer Data Residency | Per customer workspace configuration |
| Services Used | SSO, MFA, user directory (Acme Cloud workforce only) |
| Processing Purpose | Employee authentication, access management |
| Data Types Processed | Acme Cloud employee credentials (not Customer Personal Data) |
| Security Certifications | SOC 2 Type II, ISO 27001, FedRAMP |
| Transfer Mechanism | EU-US DPF (certified), SCCs |
| DPA Status | Okta DPA incorporated |
| BAA Available | Yes |
| Engagement Date | January 2022 |
| Review Date | January 2026 (annual) |
Note: Okta is used for Acme Cloud workforce identity only. Customer SSO is handled directly by the Acme Cloud platform without Okta involvement.
Subprocessor Assessment Process
9.1 Pre-Engagement Assessment
Before engaging a new subprocessor, Acme Cloud conducts:
| Assessment Area | Evaluation Criteria | Documentation |
|---|---|---|
| Security posture | SOC 2 or equivalent certification | Certification review |
| Privacy compliance | GDPR/CCPA compliance, DPA availability | DPA review |
| Data handling | Processing scope, data residency, retention | Technical documentation |
| Transfer mechanisms | DPF certification, SCC availability | Legal review |
| Contract terms | DPA terms equivalent to our DPA | Contract review |
| Business viability | Financial stability, market position | Business assessment |
9.2 Assessment Scoring
| Score | Risk Level | Approval Requirement |
|---|---|---|
| 90-100 | Low | Privacy team approval |
| 75-89 | Medium | CPO approval |
| 60-74 | High | CPO + CISO approval with controls |
| Below 60 | Unacceptable | Engagement not permitted |
9.3 Ongoing Monitoring
| Monitoring Activity | Frequency | Owner |
|---|---|---|
| Security certification review | Annual | GRC Team |
| DPA compliance check | Annual | Privacy Team |
| Security questionnaire | Annual | Security Team |
| Incident monitoring | Continuous | Security Operations |
| Breach notification monitoring | Continuous | Privacy Team |
| Contract renewal review | Per renewal | Legal + Privacy |
Change Notification Process
10.1 Notification Types
| Change Type | Notice Period | Notification Method |
|---|---|---|
| New subprocessor | 30 days | Email to designated contact |
| Subprocessor replacement | 30 days | Email to designated contact |
| Subprocessor removal | Informational (no objection right) | Email or Trust Center update |
| Processing scope change | 30 days | Email to designated contact |
| Location change | 30 days | Email to designated contact |
10.2 Notification Content
Each notification includes:
| Element | Description |
|---|---|
| Subprocessor identity | Legal name, headquarters |
| Processing purpose | Specific data processing activities |
| Data types | Categories of Personal Data processed |
| Locations | Processing and storage locations |
| Effective date | When engagement becomes effective |
| Objection deadline | Last date to submit objection |
| Objection process | How to submit objection |
10.3 Objection Process
Customers may object to new subprocessors:
Step 1: Written Objection
1.1. Submit objection in writing within notice period
1.2. State specific, reasonable data protection grounds
1.3. Propose alternatives if available
Step 2: Good Faith Resolution
2.1. Acme Cloud reviews objection
2.2. Parties discuss potential solutions
2.3. Acme Cloud may: address concerns, offer alternative configuration, or proceed
Step 3: Resolution Outcomes
3.1. If resolved, continue service with agreed modifications
3.2. If unresolved, Customer may terminate affected services
3.3. Termination right is exclusive remedy for objection
10.4 Subscription to Updates
Customers may subscribe to subprocessor updates:
| Subscription Method | How to Subscribe |
|---|---|
| Email notification | Contact privacy@acmecloud.com with subscription request |
| Trust Center RSS | Subscribe to Trust Center RSS feed |
| In-app notification | Enable Trust Center notifications in platform settings |
Framework Mapping Appendix
Regulatory Subprocessor Requirements
| Regulation | Requirement | Acme Cloud Implementation |
|---|---|---|
| GDPR Art. 28(2) | Prior authorization | 30-day notice + objection right |
| GDPR Art. 28(4) | Equivalent obligations | DPA flow-down to all subprocessors |
| UK GDPR Art. 28 | Same as GDPR | Same implementation |
| LGPD Art. 39 | Subprocessor disclosure | Published list |
| CCPA 1798.140(ag) | Written contract | Service provider contracts |
| SCCs Clause 9 | Prior notification | 30-day notice process |
SOC 2 Mapping
| SOC 2 Criteria | Subprocessor Control | Evidence |
|---|---|---|
| CC3.2 | Risk assessment | Pre-engagement assessment |
| CC9.1 | Vendor management | Assessment process, monitoring |
| CC9.2 | Contract requirements | DPA, security terms |
| CC9.3 | Ongoing monitoring | Annual reassessment |
ISO 27001 Mapping
| ISO 27001 Control | Subprocessor Control | Evidence |
|---|---|---|
| A.15.1.1 | Supplier policy | Assessment policy |
| A.15.1.2 | Supplier agreements | DPA, contracts |
| A.15.1.3 | Supply chain security | Security assessments |
| A.15.2.1 | Monitoring and review | Annual review process |
| A.15.2.2 | Change management | Change notification process |
Current Subprocessor Summary Table
| Subprocessor | Category | Location | Data Types | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services | Infrastructure | US, EU, UK, APAC | All Customer Data | DPF, SCCs |
| Cloudflare | Infrastructure | Global (edge) | Transient only | DPF, SCCs |
| Neon | Database | Per AWS region | All Customer Data | DPF, SCCs |
| Datadog | Security | US | Security logs | DPF, SCCs |
| CrowdStrike | Security | US | Endpoint telemetry | DPF, SCCs |
| Snyk | Security | US | Code metadata | DPF, SCCs |
| Resend | Communication | US | Email data | DPF, SCCs |
| Twilio | Communication | US | SMS data | DPF, SCCs |
| Slack | Communication | US, EU | Notification content | DPF, SCCs |
| Intercom | Support | US, EU | Support data | DPF, SCCs |
| PostHog | Analytics | EU | Usage data | EU residency |
| Sentry | Analytics | US | Error data | DPF, SCCs |
| Stripe | Payment | US, EU | Billing data | DPF, SCCs |
| Okta | Authentication | US | Workforce only | DPF, SCCs |
Related Trust Center documents
dpa, privacy policy, security overview, encryption standards, data retention
Document revision history
| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |
Contact
Acme Cloud, Inc.
1200 Market Street, Suite 400
San Francisco, CA 94103, USA